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We propose a verified approach to the formal verification of timed properties using model-checl<ing 
techniques. We focus on properties expressed using real-time specification patterns, which can be viewed 
as a subset of timed temporal logics that includes properties commonly found during the analysis of 
reactive systems. Our model-checl<ing approach is based on the use of observers in order to transform 
the verification of timed patterns into the verification of simpler LTL formulas. While the use of observers 
for model-checking is quite common, our contribution is original in several ways. First, we define a formal 
framework to verify that our observers are correct and non-intrusive. Second, we define different classes of 
observers for each pattern and use a pragmatic approach in order to select the most efficient candidate in 
practice. This approach is implemented in an integrated verification tool chain for the Fiacre language. 

Formal Methods. Verification. l\Aodei-Cf)ecl<ing. Specification Patterns. Time Petri Nets. 



1. INTRODUCTION 

distinctive feature of real-time systems is to be 
subject to severe time constraints that arise 
from critical interactions between the system and 
its environment. Since reasoning about real-time 
systems is difficult, it is important to be able to 
apply formal validation techniques early during the 
development process and to define formally the 
requirements that need to be checked. 

In this work, we follow a classical approach to 
model checking: (1) we use a high-level language to 
describe a model of the system; (2) we use a logical- 
based formalism to express requirements on the 
system; and (3) the verification consists in compiling 
the system's model and requirements into a low-level 
model for which we have the appropriate theory and 
the convenient tooling. We propose a new treatment 
for this traditional approach. In particular, for point 
(2), we focus on a dense real-time model and we use 
real-time patterns for the specification of the system 
instead of timed extensions of temporal logic. Our 
patterns can be interpreted as a real-time extension 
to the specification patterns of |Dwyer et al. | | (T999) . 
Time patterns can be used to express constraints on 
the timing as well as the order of events, such as the 
compliance to deadline or minimum time bounds on 
the delay between events. Concerning verification, 
point (3), we work with Time Transition Systems (see 



Sect. |2|, an extension of Time Petri Nets with data 
variables and priorities. 

Our first contribution is to propose a decidable 
verification method for checking real-time patterns 
on Time Transition Systems (TTS). The method is 
based on the use of observers and model-checking 
techniques in order to transform the verification of 
patterns into the verification of simpler LTL formula. 
Our observers are proved correct and non-intrusive, 
meaning that they compute the correct answer and 
have no impact on the system under observation. 
This is why we say our approach is verified. The 
formal framework we have defined is not only 
useful for proving the validity of formal results but 
also to check the soundness of optimisation in the 
implementation. 

Our second contribution is to provide a reference 
implementation for these timed patterns. The 
complete framework defined in this paper has 
been integrated into a verification tool chain for 
Fiacre (Berthomieu et al.~| |2008l, a high-level 



modelling language that can be compiled to TTS. 
Fiacre can be used as input language for two 
verification toolboxes: TINA, the Time Petri Net 



Analyze r tool set (Berthomieu et al. |[2004 |, and 
CADP i jGaravel et al. ||2011| . In our tool chain 
(described in Fig. [1] a Fiacre specification is 
combined with patterns and compiled into a TTS 



model using the Frac compiler (the Fiacre language 
compiler). Then the model can be checked using 
the TINA toolbox. This is not a toy example. Indeed, 
Fiacre is the intermediate language used for model 
verification in Topcased (Farail et a l. ||2006), an 
Eclipse based toolkit for critical systems, where it is 
used as the target of model transformation engines 
from var ious languages, such as SDL, BPEL or 
AADL i jBerthomieu et al. |[20 09l Therefore, through 
the connection with Fiacre, we can check timed 
patterns on many different modelling languages. 

Due to space limitations, we only give a partial 
descriptions of our timed patterns and give only part 
of our theoretical results. A complete catalogue of 
ti med sp ecification patterns is given in ,Abid et HL\ 
[] | |201 1af , while the complete formal framework is 
defined in a long version of this paper | |Abid et aU 
[201 1b^ 

For the purpose of this work, we focus on a 
simple deadline pattern, named leadsto, and define 
different classes of observers that can be used 
to check this pattern. We define observers for the 
leadsto patterns that are based on the monitoring 
of places or transitions. In addition to these two 
traditional kind of observers, we propose a class 
of TTS observers that monitor data modifications. 
The goal is to choose the most efficient observer 
in practice. We give some experimental results on 
the impact of the choice of observer on the size 
of the state graphs that need to be generated — 
that is on the space complexity of our verification 
method — and on the verification time. The goal of 
this particular study is not to define a method for 
automatically generating an observer from a pattern. 
Instead, we define a set of possible observers that 
are compared in order to choose the best one in 
practice. 

Outline 

The paper is organised as follows. We start by 
introducing our formal framework in Sect. |2] This 
section is useful to define the notion of composition 
and non-interference for our observers. In Sect. |3] 
and |4l we describe a subset of our real-time 
specification patterns and the verification framework. 
We describe the implementation of our tool chain 
and give some experimental results on the use of the 
leadsto pattern in Sect.js) We conclude with a review 
of the related work, an outline of our contributions 
and some perspectives on future work. 

2. FORMAL FRAMEWORK 

We define some formal notations that are used 
in the remainder of this paper. In our approach, 
the observers and the systems are presented as 



act: dbl := false 
pre: dbl == false 




pre: dbl == true 
act: dbi := false 



Figure 2: The double-click example in TTS 



Time Transition System (TTS), an extension of Time 



Petri Nets (TPN) (see e.g. Merlin |pr974i with data 



variables and priorities. Our formal framework is 
based on the work of [Peres et al. | | |20 1 1 ), where the 
authors define formally the composition of two TPN. 
Their presentation has been extended to the full TTS 
model in |Abid et an i |2011bf . 



The notion of composition is important in our work 
since we use TTS models for both the system 
and the observer and, for verification, we use TTS 
composition to graft the system with the observer. 

This section is organised as follows: first, we 
introduce informally a TTS example. Then, we give 
a formal definition of TPN following the presentation 



of [Peres et al. 1 1 |201 1) , which is then extended to 
TTS. The semantics of TTS is defined using sets of 
timed traces. Finally, we define the composition of 
two TTS. 

2.1 . Informal Presentation of the TTS Model 

We introduce next a graphical syntax of TTS using 
a simple example that models the behaviour of a 
mouse button with double-clicking, as pictured in 
Fig. |2] The behaviour, in this case, is to emit the 
event double if there are more than two click events 
in strictly less than one unit of time (u.t.). 

Ignoring at first side conditions and side effects (the 
pre and act expressions inside dotted rectangles), 
the TTS in Fig.|2]can be viewed as a TPN with one 
token in place so as its initial marking. From this 
"state", a click transition may occur and move the 
token from so to si. With this marking, the internal 
transition r is enabled and will fire after exactly one 
unit of time, since the token in si is not consumed 
by any other transition. Meanwhile, the transition 
labeled click may fire one or more times without 
removing the token from si, as indicated by the read 
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Figure 1: The global verification tool chain 



arc (arcs ending with a black dot). After exactly one 
unit of time, because of the priority arc (a dashed 
arrow between transitions), the click transition is 
disabled until the token moves from si to S2. 

Data is managed within the act and pre expressions 
that may be associated to each transition. These 
expressions may refer to a fixed set of variables that 
form the store of the TTS. Assume i is a transition 
with guards actt and pre*. In comparison with a 
TPN, a transition < in a TTS is enabled if there is both: 
(1) enough tokens in the places of its pre-condition; 
and (2) the predicate pret is true. With respect to 
the firing of t, the main difference is that we modify 
the store by executing the action guard actt- For 
example, when the token reaches the place S2 in the 
TTS of Fig.|2] we use the value of the variable dbl to 
test whether we should signal a double click or not. 

2.2. Labeled Time Petri Nets and Time 
Transition Systems 

Labeled Time Petri Nets (or TPN) extend Time Petri 
Nets ( Merlin ,,1974) with an action alphabet and a 
function labelling the transitions with those actions. 

Notation : Let /+ be the set of nonempty real 
intervals with non negative rational endpoints. For 
i e /+ , the symbol ii denotes the left end-point of 
the interval i and its right end-point, if i is bounded, 
or oo otherwise. We use N to denote the set of non 
negative integers. 

Definition 1 A labeled Time Petri Net (or TPN) is a 

8-tuple [P, T, B, F, Mo, Is,T,^ L) in which: 

• P is a finite set of places p^; 

• T is a finite set of transitions U; 

• B is the backward incidence function 

B -.T^ P^N; 



• F is the forward incidence function 

F-.T^P^N; 

• Mq is the initial marking function 

Mo-.P^ N; 

• Is is a function called the static interval function 

Function Is associates a temporal interval 
Is{t) e /+ with every transition of the 
system. ils{t) and t^sit) are called the static 
earliest and latest firing times oft, respectively. 
Assuming that a transition t became enabled 
at time t, then t cannot fire before (t + |/s(i)) 
and no later than (r + tisit)) unless disabled 
by firing some other transition. 

• X) 's a finite set of actions, or labels, not 
containing the silent action e; 

• L : T ^ I]U{e} is a transition labelling 
function. 

A marking is a function M : P ^ N that records the 
current (dynamic) value of the places in the net, as 
transitions are fired. The transition t e T is enabled 
by M iff {M ^ B{t)). The dynamic interval function 
I : T ^ 1+ is a mapping from transitions to time 
intervals. The dynamic interval function is used to 
record the current timing constraints associated to 
each transition, as time passes. 

A transition t can fire from (M, /) if t is enabled at M 
and instantly fireable, that is e I{t). In the target 
state, the transitions that remained enabled while 
t is fired {t excluded) keep their time interval, the 
intervals of the others (newly enabled) transitions are 
set to their respective static intervals. Together with 
those "discrete" transitions, a time Petri Net adds the 
ability to model the flowing of time. A transition of 
amount d (i.e. taking d time units) is possible iff d is 
less than ^I{t) for all enabled transitions t. 



The definition of TTS is a natural extension of 
TPN tinat takes variable s and priorit i es into account. 
Details are presented in |Abid et ai~| | |201 1b| . 



Definition 2 (Timed traces) A timed trace a is a 
possibly infinite sequence of events t e T and 
duration d witli d e M+. Formally, a is a partial 
mapping from Ntof = TU {d\deR+} such that 
a{i) is defined whenever a{j) is defined and i < j. 

The domain of a is written dom cr. If dom a is finite, 
the duration of a, denoted A{a), is the sum of the 
delays in a, that is E^\a{^)eR+ '^i^- 

The semantics of a TPN (r esp. TTS) is the set of its 
timed traces, (see details in |Abid et al. | | |201 1b^ ). 



2.3. Composition of TTS and Timed Traces 

We study the composition of two TTS and consider 
the relation between traces of the composed system 
and traces of both components. This operation is 
particularly significant in the context of this work, 
since both the system and the observer are TTS and 
we use composition to graft the latter to the former. 
In particular, we are interested in conditions ensuring 
that the behaviour of the observer does not interfere 
with the behaviour of the observed system. 

The "parallel composition" of labeled Petri nets is a 
fundamental operation that is used to model large 
systems by incrementally combining smaller nets. 
Basically, the composition of two labeled TPN A'^i 
and N2 is a labeled net N = {Ni \\ N2) such that: the 
places of N is the cartesian product of the places 
of Ni and N2, and the transitions of N is the fusion 
of the transitions in A^i and N2 that have the same 
label. A formal definition for the composition of two 

||201 1). Composition 



TPN is given in Peres et al. 



of TTS is basically the same | |Abid et al.~||201 1b) , 
with the noticeable restriction that transitions which 
have priority over other transitions may not be 
synchronised across components. This is required 
to ensure the compositionality theorem, which we 
introduce below. 

In the same way, we can define the composition 
of timed traces as an operation that builds a timed 
trace o-i || 0-2 from two traces o-i and 0-2 ■ The trace 
CTi II (72 is obtained by merging the events with the 
same labels. This operation is well-defined for pairs 
of composable traces. Let A^i (resp. N2) be a TPN, 
and (Ti (resp. 0-2) one of its traces. We say that ai 
and CT2 are composable iff dom ai = dom 0-2, and for 
all i e dom (Ti, (1) cri(i) = d A (i e M+ ^ a2{i) = d, 
and (2) cri(i) = i A t e T ^ L{(Ti{i)) = L{a2{i)). 

The compositionality theorem states that the 
behaviour of the composed system (expressed as 



a set of timed traces) is a subset of the behaviour 
of both components. In other terms, composing 
a system with an observer cannot generate new 
behaviour. 

Theorem 1 (Compositionality) Let Ni and N2 be 

two TTS and N = Ni \\ N2 be their composition. 
Then, for every timed trace a of N, there exist two 
timed traces, and 02, such that: (1) a, is a trace of 
Ni fori e 1..2 and (2) a = ai \\ 0-2- 

In the compositionality theorem, the trace cti (resp. 
0-2) is obtained from a by "erasing" all transitions of 
A'^2 (resp. A^i). Due to lack of space, we omit the 
proof here and invite the reader to consult |Abid~etl 
|an ( |2011b) . 

3. REAL-TII\flE SPECIFICATION PATTERNS 



We have defined in |Abid et alT~| | |2011a !l a set of 
specification patterns that can express constraints 
on the delays between the occurrences of two events 
or on the duration of a given condition. In our context, 
the event of a model can be: a transition that is fired; 
the system entering or leaving a state; a change 
in the value of variables; ...The advantage of 
proposing predefined patterns is to provide a simple 
formalism to non-experts for expressing properties 
that can be directly checked with our verification tool 
chain. Our patterns can be viewed as a real-time 
extension of Dwyer's (19991 specification patterns. 
In his seminal work, Dwyer shows through a study of 
500 specification examples that 80% of the temporal 
requirements can be covered by a small number of 
"pattern formulas". We follow a similar philosophy 
and define a list of patterns that takes into account 
timing constraints. At the syntactic level, this is 
mostly obtained by extending Dwyer's patterns with 
two kind of timing modifiers: (1) P within I, which 
states that the delay between two events declared in 
the pattern P must fit in the time interval /; and (2) 
P lasting D, which states that the condition defined 
by P must hold for at least duration D. For example, 
we define a pattern Present A after B within ]0,4] 
to express that the event A must occur within 4 unit 
of time of the first occurrence of event B, if any, 
and not simultaneously with it. Although seemingly 
innocuous, the addition of these two modifiers has a 
great impact on the semantics of patterns and on the 
verification techniques that are involved. 

We describe our patterns using a hierarchical 
classification borrowed from [Dwyer et al. | (19991, 
with patterns arranged in categories such as 
universality, absence, response, etc. In the following, 
we give some examples of absence and response 
patterns based on the TTS example of Fig.|2] Each 
of these patterns can be checked using our tool 



chain. A complete catalogue of patterns, with their 
formal definition, is given in|Abid et al. |(|2011a^. In 
this section, we focus on the "response pattern with 
delay", to give an example of how patterns can be 
formally defined and to explain our different classes 
of observers. 

3.1. Absence Pattern with Delay 

This category of patterns is used to specify delays 
within which activities must not occur. A typical 
pattern in this category is: 

absent E2 after Ei for interval [di ; ^2] , (absent) 

which asserts that a transition (labeled with) E2 
cannot occur between di and ^2 units of time after 
the first occurrence of a transition Ei. An example of 
use for this pattern would be the requirement that we 
cannot have two double clicks in less than 2 units 
of time (u.t.), that is: absent double after double 
for interval [0;2]. (This property is not true for our 
example in Fig.|2]) A more contrived example is to 
require that if there are no single clicks in the first 10 
u.t. of an execution then there should be no double 
clicks at all. This requirement can be expressed 
using the composition of two absence patterns using 
the implication operator and the reserved transition 
inlt (that identifies the start of the system): 

( absent single after inlt for interval [0; 10]) 
=^ {absent douh\e after in'it for interval [0;oo[) . 

3.2. Response Pattern with Delay 

This category of patterns is used to express that 
some (triggering) event must always be followed by 
a given (response) event within a fixed delay of time. 
The typical example of response pattern states that 
every occurrence of a transition labeled with Ei must 
be followed by an occurrence of a transition labeled 
with E2 within a time interval /. (We consider the first 
occurrence of E2 after Ei.) 

El leadsto E2 within I . (leadsto) 

For example, using a disjunction between transition 
labels, we can bound the time between a click and a 
mouse event with the pattern: click leadsto (single v 
double) within [0, 1]. 

3.3. Other Examples of Patterns 

To give a feel of the expressiveness of our patterns, 
we briefly describe some other examples. For each 
pattern, we give just a textual definition. In each 
example, Ei, E2 and E3 refer to events in the system 
and di (resp. ^2) stand for the left end-point (resp. 
right end-point) of the time interval /. 



Present Ei after E2 within / 

Predicate Ei must hold between di and d2 u.t 
after the first occurrence of E2. The pattern is also 
satisfied if E2 never holds. 

Present first Ei before E2 within / 

The first occurrence ofEi should be between di and 
d2 U.t. before the first occurrence of E2. The pattern 
also holds if E2 never occurs. 

Present Ei lasting D 

Starting from the first occurrence when the predicate 
El holds, it remains true for at least duration D. 
This pattern makes sense only if Ei is a predicate 
on states (that is, on the marking or store); since 
transitions are instantaneous, they have no duration. 

Absent Ei before E2 for duration D 

No El can occur less than D u.t. before the first 
occurrence of E2. The pattern holds if there are no 
occurrence of E2. 

El leadsto first E2 within / before E3 

Before the first occurrence ofE^, each occurrence of 
El is followed by an occurrence of E2 which occurs 
both before E3, and in the time interval I after Ei. 
The pattern holds if E^ never occurs. 

El leadsto first E2 within / after E^ 

Same than with the pattern "Ei leadsto first E2 
within I" but only considering occurrences of Ei 
after the first E^. 

3.4. Interpretation of Patterns 

We can use different formalisms to define the 
semantics of patterns. In this work, we focus on 
a denotational interpretation, based on first-order 
formulas over timed traces (with equality and trace 
composition). We illustrate our approach using the 
pattern Ei leadsto E2 within I. 

For the "denotational" definition, we say that the 
pattern Ei leadsto E2 within I is true for a TTS N if 
and only if, for every timed-trace a of N, we have: 

yai,a2.{a^aiEia2)^^ AA(a3) G / A S2 ^ C73 j 

where A(cr3) is the sum of all the duration in 0-3. The 
denotational approach is very convenient for a "tool 
developer" (for instance to prove the soundness of 
an observer implementing a pattern) since it is self- 
contained. 

For another example, the denotational definition for 
the pattern absent E2 after Ei for interval I is given 
by the following condition on the traces ct of a 



system: 



Vcri,o-2,o'3 -{cr — aiEicr2E2(J3) 

A{Ei i tTi) ^ (A(tT2) i I) 



El [max, max] E2 

er«or 



On our complete catalogue of patterns ^Abid et| 



al. 



2011_a|, we provide an alternative (equivalent) 
semantics for patterns based on MTL, a timed 



extension of linear temporal logic (see e.g. |Maler et 
ai~||2006| for a definition of the logic). For instance, 



for the leadsto pattern, the equivalent MTL formula 

is a{Ei ^ ((^£^2) U/ E2)), which reads like a LTL 
formula enriched by a time constraint on the until 
modality U. 

4. PATTERNS VERIFICATION 

We define different types of observers at the TTS 
level that can be used for the verification of patterns. 
It is important to note that we do not give an 
automatic method to generate observers. Rather, we 
define a set of observers for each patterns and, after 
selecting the "most efficient one", we prove that it 
is correct (see the discussion in Sect. [|). We make 
use of the whole expressiveness of the TTS model 
to build observers: synchronous or asynchronous 
rendez-vous (through places and transitions); shared 
memory (through data variables); and priorities. We 
believe that an automatic method for generating 
the observer, while doable, will be detrimental for 
the performance of our approach. Moreover, when 
compared to a "temporal logic" approach, we are in 
a more favorable situation because we only have to 
deal with a finite number of patterns. 

4.1 . Observers for the Leadsto Pattern 

We focus on the example of the leadsto pattern. 
We assume that some events of the system are 
labeled with Ei and some others with E2. We 
give three examples of observers for the pattern: 
El leadsto E2 within [0, max[. The first observer 
monitors transitions and uses a single place; the 
second observer monitors places; the third observer 
monitors shared, boolean variables injected into the 
system (by means of composition). We define our 
TTS observers using a classical graphical notation 
for Petri Nets, where arcs with a black circle denote 
read arcs, while arcs with a white circle are inhibitor 
arcs. (These extra categories of arcs can be defined 
in TTS and are supported in our tool chain.) The 
use of a data observer is quite new in the context of 
TTS systems. The results of our experiments seem 
to show that, in practice, this is the best choice to 
implement an observer. 

4.1.1. Transition Observer 

The observer Ot, see Fig.|3] uses a place, obs, to 
record the time since the last transition Ei occurred. 




obs 



Figure 3: Transition Observer: Ot 



The place obs in Ot is emptied if a transition labeled 
E2 is fired, otherwise the transition error is fired 
after max unit of time. The priority arc (dashed 
arrow) between error and E2 is used to observe the 
transition error even in the case where a transition E2 
occurs exactly max u.t. after the place obs was filled. 

By definition of the TTS composition operator, the 
composition of the observer Ot with the system N 
duplicates each transitions in N that is labeled Ei: 
one copy can fire if obs is empty — as a result of the 
inhibitor arc — while the other can fire only if the place 
is full. As a consequence, in the TTS N \\ Ot, the 
transition error can fire if and only if the place obs 
stays full — there has been an instance of Ei but not 
of E2 — for a duration of max. Then, to prove that N 
satisfies the leadsto pattern, it is enough to check 
that the system N \\ Ot cannot fire the transition 
error. This can be done by checking the LTL formula 

□ (terror) on the system N \\ Ot. 

The observer Ot given in Fig. |3] is deterministic 
and will "react" to the first occurrence of E2 
that miss a deadline. It is also possible to 
define a non-deterministic observer, such that some 
occurrences of Ei or E2 may be disregarded. This 
approach is safe since model-checking performs 
an exhaustive exploration of the states of the 
system; it considers all possible scenarios. This 
non-deterministic behaviour is quite close to the 
treatment obtained when compiling an (untimed) LTL 
formula "equivalent" to the leadsto pattern, namely 

□ (^1 => O-E'2), into a Buchi automaton | |Gastin et alT 
|2001| . We have implemented the deterministic and 
non-deterministic observers and compared them 
taking in account their impact on the size of 
the state graphs that need to be generated and 
on the verification time. Experiments have shown 
that the deterministic observer is more efficient, 
which underlines the benefit of singling out the 
best possible observer and looking for specific 
optimisation. 



4.1.2. Data Observer 

We define the data observer Od in Fig.|4] The data 
observer has a transition error conditioned by the 
value of a boolean variable, flag, that "takes the role" 
of the place obs in Ot (every boolean variable is 
considered to be initially set to false). Indeed, flag is 



act: flag := true 



our approach on the particular examples of ob- 
servers for the pattern Ei leadsto E2 within [0, max[, 
given in the previous section. 



I I [max, max] 
pre: flag| == true 



Eh 

CZI 

:act: flag := false: 

Figure 4: Data Observer: Od 



true between an occurrence of Ei and the following 
transition E2. Therefore, like in the previous case, to 
check if a system N satisfies the pattern, it is enough 
to check the reachability of the event error. Notice 
that the whole state of the data observer is encoded 
in its store, since the underlying net has no place. 

4.1.3. Place Observer 

We define the place observer Op in Fig. |5] In this 
section, to simplify the presentation, we assume that 
the events Ei and E2 are associated to the system 
entering some given states Si and 82. (But we can 
easily adapt this net to observe events associated 
to transitions in the system.) We also rely on a 
composition operator that composes TTS through 
their places instead of their transitions | | Peres at aT" 
201 1 1 and that is available in our tool chain. In Op, 
we use a transition labeled n whenever a token 
is placed in 5*1 and a transition T2 for observing 
that the system is in state S2 (we assume that the 
labels Ti and T2 are fresh — private to the observer — 
and should not be composed with the observed 
systems). The remaining component of Op is just like 
the transition observer. We consider both a place 
and a transition observer since, depending on the 
kind of events that are monitored, one variant may 
be more efficient than the other. 
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Figure 5: Place Observer: Op 

4.2. Proving Innocuousness and Soundness of 
Observers 

The goal of this section is to show how to prove that 
an observer for a pattern is correct. We demonstrate 



We say that an observer O for this pattern is sound 
if it can "detect" the traces of a system N that do not 
hold for the pattern. More formally, if there is a trace 
cr of iV such that: a = aiEia2E2CF^ with A(cr2) > max 
and E2 i- 0-2, then there should be a trace a' in TV || O 
such that error e g' . (The condition on the trace a 
directly follows from the denotational definition of the 
pattern, see Sect. |3.4| On the opposite, the observer 
is correct if it can detect that a system satisfies a 
pattern: if for all trace a' of iV || O we have error ^ a' 
then for all trace o- of the pattern holds. 



From our compositionality theorem, see Sect. |Z3 
we have that every trace a' of iV || O can be defined 
as the composition o- || o-o of a trace cr of the system 
N with a trace 0-0 of the observer O. Therefore, to 
prove that an observer is correct, it is enough to 
prove that the pattern does not hold for a trace o-o 
in O iff error e Sq. Indeed, if there is a trace o- in iV 
that does not hold for the pattern, then we obtain a 
trace a |j o-q in TV || O that does not hold either. 

We can use our formal framework to prove the 
soundness of an observer (work is currently under 
way to mechanise these proofs using the Coq 
interactive theorem prover). Correctness proofs are 
more complicated, since they require to reason on 
the traces of a system composed with the observer 
to figure out the behaviour of the system alone. 
Therefore, instead of proving that an observer is 
correct, we prove a stronger assumption, that is that 
observers should be innocuous. A net is said to be 
innocuous if it cannot interfere with a system placed 
in parallel. More formally, the TTS O is innocuous if 
for all TTS N and for all trace o- in there exists 
a trace CTo in O such that cr || CTo is a trace in N \\ 
O. Innocuousness means that the observer cannot 
restrict the behaviour of another system. This is 
particularly useful in our case since, with innocuous 
observer, any trace a of the observed system N 
is preserved in the composed system N \\ O: the 
observer does not obstruct the behaviour of the 
system (see Lemma[l]below). 

Instead of proving that observers are non-intrusive in 
a case by case basis, we can give a set of sufficient 
conditions for an observer O to be innocuous. These 
conditions are met by the three observers given in 
Fig-M 

Given a TTS N, we say that a transition t of 
the observer is synchronised when there exists a 
labeled transition t' of N such that L{t) = L{t') 
(and the label L{t) is not e). We write T^ync the 
set of synchronised transitions of the observer and 



Lsync the labels of the synchronised transitions. 
The transitions in T^ync are the transitions used 
by the observer to probe the system. In the 
examples defined in the previous section, the only 
synchronised transitions are the ones labeled Ei and 
E2 in the data (Od) and transition (Of) observers. We 
define T,„„„ as the set of transitions of the observer 
whose static time interval is [0,0]. By construction, 
no transiton in T^ync can also be part of T.mm- 

Lemma 1 Assume O satisfies tlie following three 
conditions: 

• all synchronised transitions have a trivial static 
time interval and no priority (that is, for every t 

in Tsync, = [0; +00 [ and t has no priority over 
another transition in O); 

• from any state of the observer, and for every 
label I e Lgync, there is at least one transition t 
in O with label I that can fire immediately; 

• from any state of the observer, there is no 
infinite sequence of transitions in Ti,nm- 

then, for all timed trace a in N there exists a timed 
trace a \\ ao in N \\ O such that Oo is a trace of O. 



The proof of Lemma [T] can be found in |Abid et 



al. 1 1 |201 1b| . A few comments on these conditions. 
The first condition is necessary for defining the 
composition of two TTS (see Sect. |2.3^ . The second 
condition ensures that the observer cannot delay the 
firing of a synchronised transition "for a non-zero 
time". Assume s is a state of the observer O and a 
a finite trace of O starting from state s. We define 
0(s,(t) to be the (necessarily unique) state reached 
by the observer after trace a has been executed. 
From the second condition, in every reachable state 
s of O, and for every label I in L{Tsync), there 
exists a (possibly empty) finite trace a not containing 
transitions in Tsync such that the duration of cr is 
and there exists t e Tsync with L{t) = I, which is 
fireable in state 0(s,(t). Note also that the observer 
cannot involve other synchronised transitions while 
reaching a state where / is firable, since this would 
abusively constrain the behaviour of the main system 
N, not to mention deadlock issues. This condition is 
true for the observer Ot in Fig. |3]since, at any time, 
exactly one of the two transitions labeled Ei (resp. 
E2) can fire. 



5. EXPERIMENTAL RESULTS 

Our verification framework has been integrated 
into a prototype extension of frac, the Fiacre 
compiler for the TINA toolbox. This extension 
supports the addition of real time patterns and 
automatically compose a system with the necessary 



observers. (Software and examples are available 

at http: //homepages. laas.fr/~nabid ) In case the 

system does not meet its specification, we obtain 
a counter-example that can be converted into a 
timed sequence of events exhibiting a problematic 
scenario. This sequence can be played back using 
two programs provided in the TINA tool set, nd and 
play. The first program is a graphical animator for 
Time Petri Net, while the latter is an interactive (text- 
based) animator for the full TTS model. 

We define the empirical complexity of an observer 
as its impact on the augmentation of the state space 
size of the observed system. For a system S, we 
define size{S) as the size (in bytes) of the State 
Class Graph (SCO) (Berthomieu et al. ,,2004 ) of S 
generated by our verification tools. In TINA, we use 
SCG as an abstraction of the state space of a TTS. 
State class graphs exhibit good properties: an SCG 
preserves the set of discrete traces — and therefore 
preserves the validation of LTL properties — and the 
SCO of S is finite if the Petri Net associated with 
S is bounded and if the set of values generated 
from 5" is finite. We cannot use the "plain" labeled 
transition system associated to S to define the size of 
S\ indeed, this transition graph maybe infinite since 
we work with a dense time model and we have to 
take into account the passing of time. 

The size of S* is a good indicator of the memory 
footprint and the computation time needed for 
model-checking the system S: the time and 
space complexity of the model-checking problem is 
proportional to size{S). Building on this definition, we 
say that the complexity of an observer O applied 
to the system S, denoted Co{S), is the quotient 
between the size of {S \\ O) and the size of S. 

We resort to an empirical measure for the complexity 
since we cannot give an analytical definition of Co 
outside of the simplest cases. However, we can give 
some simple bounds on the function Co- First of 
all, since our observers should be non-intrusive, we 
can show that the SCG of 5 is a sub graph of the 
SCG of S II O, and therefore Co{S) > 1. Also, 
in the case of the leadsto pattern, the transitions 
and places-based observers add exactly one place 
to the net associated to S. In this case, we can 
show that the complexity of these two observers is 
always less than 2; we can at most double the size 
of the system. We can prove a similar upper bound 
for the leadsto observer based on data. While the 
three observers have the same (theoretical) worst- 
case complexity, our experiments have shown that 
one approach was superior to the others. We are 
not aware of previous work on using experimental 
criteria to select the best observer for a real-time 
property. In the context of "untimed properties". 
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Figure 6: Compared complexity of the data and place observers (in percentage of system size growth)- 
invalld properties (right) and valid properties (left). 
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this approach may be compared to the problem of 
optimising the generation of Buchi Automata from 
LTL formulas, see e.g. |Gastin et al. | | |200T) . 



We have used our prototype compiler to experiment 
with different implementations for the observers. 
The goal is to find the most efficient observer 
"in practice", that is the observer with the lowest 
complexity. To this end, we have compared the 
complexity of different implementations on a fixed 
set of representative examples and for a specific 
set of properties (we consider both valid and invalid 
properties). The results for the leadsto pattern are 
displayed in Fig.jS) For the experiments used in this 
paper, we use three examples of systems selected 
because they exhibit very different features (size 
of the state space, amount of concurrency and 
symmetry in the system, . . . ): 

• TRAIN is a model of a train gate controller. 
The example models a system responsible for 
controlling the barriers protecting a railroad 
crossing gate. When a train approaches, the 
barrier must be lowered and then raised after 
the train's departure. The valid property, for the 
TRAIN example, states that the delay between 
raising and lowering a barrier does not exceed 
100 unit of time. For the invalid property, we 
use the same requirement, but shortening the 
delay to 75. 

• APOTA is an industrial use case that models 
the dynamic architecture for a network protocol 
in charge of data communications between an 
air plane and ground stations ( [Berthomieu et 
al. | |2010). This example has been obtained 



using an translation from AADL to Fiacre. 
In this case, timing constraints arise from 
timeouts between requests and periods of the 
tasks involved in the protocol implementation. 



The property, in this case, is related to 
the worst-case execution time for the main 
application task. 

• CAR is a system modelling an automated 
rail car system taken from |Dong et al. 
| |2008) . The system is composed of four 
terminals connected by rail tracks in a cyclic 
network. Several rail cars, operated from a 
central control center, are available to transport 
passengers between terminals. When a car 
approaches its destination, it sends a request 
to the terminal to signal its arrival. Passengers 
in the terminal can then book a travel in the 
car. The valid property, for the CAR example, 
states that a passenger arriving in a terminal, 
must have a car ready to transport him within 
15 unit of time. For the invalid property, we 
use the same requirement, but shortening the 
delay to 2 unit of time. 

In Fig. [6] we compare the growth in the state space 
size — that is the value of CoiS) — for the place and 
data observers defined in Sect. 14.1 1 and our three 
running examples. We do not consider the transition 
observer in these results since the events used in 
the requirements are all related to a system entering 
a state (and therefore our benchmark favor the place 
observer over the transition observer). We use one 
chart to display the result for patterns that are invalid 
and another for valid patterns. 

In Fig. [7] (page [To), we give results on the total 
verification time for the APOTA example. The value 
displayed in the table refer to the time spent 
generating the complete state space of the system 
and verifying the property. The row SYSTEM gives 
the time needed for exploring the complete state 
space of the system (without adding any observer) 
while "VALID" and "INVALID" refer to the state space 



of the system synchronised with data observer and 
state observer in the case of valid and invalid 
property respectively. 

In our experiments, we have consistently observed 
that the observer based on data is the best choice; 
it is the observer giving the minimal execution time 
in almost all the cases and that seldom gives the 
worst result. We can explain the efficiency of the data 
observer by the fact that it adds less transitions than 
the state observer; which means that it adds less 
intermediary states to the state space of {N \\ O). 
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Figure 7: Total verification time forAPOTA (in seconds) 



6. RELATED WORK 

Two broad approaches coexist for the definition 
and verification of real-time properties: (1) real-time 
extensions of temporal logic ( Henzinger _,1998) ; 
and (2) observer-based approaches, such as the 
Context Description Languages (CDL) of Dhaussy et 
al. (Raji et al. .2010) or a pproaches based on timed 
autom ata | |Ma'ler et al.~||2006[ |Aceto et an|1998 ' 
|2003) . 



Obviously the logic-based approach provides most 
of the theoretically well-founded body of works, 
such as complexity results for different fragments 
of real-time temporal logics i lHenzingeF^ |1998} : 
Temporal logic with clock constraints (TPTL); 
Metric Temporal Logic — with or without interval 
constrained operators — ; Event Clock Logic; etc. The 
algebraic nature of logic-based approaches make 
them expressive and enable an accurate formal 
semantics. However, it may be impossible to express 
all the necessary requirements inside the same logic 
fragment if we ask for an efficient model-checking 
algorithm (with polynomial time complexity). For 
example, Uppaal ( |Behrmann et al. ||2004f chose 
a restricted fragment of TCTL with clock variables, 
while Kronos provide a more expressive framework, 
but at the cost of a much higher complexity. As 
a consequence, selecting this approach requires 
to develop model-checkers for each interesting 
fragment of these logics — and a way to choose 
the right tool for every requirement — which may be 
impractical. 

Pattern-based approaches propose a user-friendly 
syntax that facilitates their adoption by non-experts. 
However, in the real-time case, most of these 



approaches lack in theory or use inappropriate 
definitions. One of our goal is to re verse this 
situation. In the seminal work of Dwyer et al. 



fr999) , patterns are defined by translation to formal 
frameworks, such as LTL and CTL. There is no 
need to provide a verification approach, in this case, 
since efficient model-checkers are available for these 
logics. This work on patterns h as been ex tended to 
the real-time case. For example,| Konrad et al. (200^ 



extends the patterns language with time constraints 
and give a mapping from timed pattern to TCTL 
and MTL, but they do not study the decidability of 
the verification method (the implementability of their 
approach). Another related work is (Gruhn et al 



2006) , where the authors define observers based 
on Timed Automata for each pattern. However, they 
do not provide a formal framework for proving the 
correctness or the innocuousness of their observers 
and they have not integrated their approach inside a 
model-checking tool chain. 



Conc erning observ er-based approaches, |Aceto et 
| |2003| [T998) use test automata to check 



al. 



properties of reactive systems. The goal is to identify 
properties on timed automata for which model 
checking can be reduced to reachability checking. In 
this framework, verification is limited to safety and 
bounded liveness properties. In the context of Time 
Petri Net, a similar approach has been experimented 
| |1997 ), but they propose a 
for observers and consider 



by [Toussaint et 
less 



al. 



general model 
only two verification techniques over four kinds of 

||2005^ 



time constraints. Bayse et al. | ||^uubl propose a 
method to verify the correctness of their approach 
formally. However, they do not prove formally all their 
invariants (patterns in our case). 

7. CONTRIBUTIONS AND PERSPECTIVES 

In contrast to these related works, we make the 
following contributions. We reduce the problem of 
checking real-time properties to the problem of 
checking LTL properties on the composition of the 
system with an observer. We define also a real-time 



patterns language based on the work of | Dwyer et 
| |1999} and inspired from real-case studies. To 



al. 



choose the best way to verify a pattern, we defined, 
for each pattern, a set of non-intrusive observers. 
We are based on a formal framework to verify the 
correctness of an observer, whether it can interfere 
with the behaviour of the system under observation. 

Our approach has been integrated into a complete 
verification tool chain for the Fiacre modelling 
language and can therefore be used in conjunction 
with Topcased (Fa rail et ai~ |'2006). We give several 
experimental results based on the use of this tool 
chain in Sect. |5] The fact that we implemented 



our approach has influenced our definition of the 
observers. Indeed, another contribution of our work 
is the use of a pragmatic approach for comparing 
the effectiveness of different observers for the same 
property. Our experimental results seem to show that 
data observers look promising. 

We are following several directions for future work. 
A first goal is to define a new low-level language for 
observers — adapted from the TTS model — equipped 
with more powerful optimisation techniques and with 
easier soundness proofs. On the theoretical side, 
we are currently looking into the use of mechanised 
theorem proving techniques to support the validation 
of observers. On the experimental side, we need 
to define an improved method to select the best 
observer. For instance, we would like to provide a 
tool for the "syntax-directed selection" of observers 
that would choose (and even adapt) the right 
observers based on a structural analysis of the target 
system. 
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